Crypto news

20.06.2026
07:35

Weekly analytics: crypto clippers on steroids, next-gen USB worm, and South Korean crackdown

security_new1

The world of cybersecurity continues to deliver surprises, and this week we witnessed a series of attacks that force a rethinking of conventional approaches to protecting digital assets. From complex multi-layered social engineering schemes to hardware vulnerabilities, threats are becoming increasingly sophisticated.

Fake Reputation as a Weapon: Crypto Clippers on GitHub and YouTube

Attackers have demonstrated a new level of skill by using legitimate marketing tools to create false trust. As part of a large-scale campaign, hackers deployed an entire "reputation economy" to inject crypto clippers disguised as trading tools for Solana and Pump.fun.

The clipper, written in Rust, targets Windows and macOS. Its task is to monitor the clipboard and instantly swap wallet addresses with the attacker's details. But the main feature is the infrastructure of "Ghost Networks." Fake accounts on VirusTotal, GitHub, SourceForge, and YouTube coordinately inflate likes, comments, and downloads. On SourceForge, the counter was artificially boosted to 44,000 using a farm of Android devices. A YouTube channel with 91,000 subscribers uses AI voices to create tutorial videos. This is a dangerous precedent: a successfully tested scheme could be used to distribute ransomware and info-stealers.

USB Worm: Self-Replication via Hidden Windows Shortcuts

Microsoft experts have revealed details of a campaign where a USB worm uses a self-replication technique, hiding in modified .LNK files. When such a shortcut on a flash drive is opened, the malware downloads a payload from a .onion server, scans the system for documents, hides them, and replaces them with malicious shortcuts bearing the same names.

The worm creates a scheduled task that monitors the connection of new USB drives and instantly copies itself to them. It is only active if "Task Manager" is not running. The stealer monitors the clipboard every half second for BIP39 seed phrases and addresses for Bitcoin, Ethereum, Tron, and Monero. Upon detection, it performs an instant swap. Every ten seconds, it takes five screenshots. Indicators of compromise are behavioral: unexpected launches of wscript.exe, cscript.exe, Curl, PowerShell, and connections to localhost:9050.

South Korea: Dismantling a Money Laundering Network for a Cambodian Syndicate

South Korean law enforcement arrested 23 individuals involved in laundering money for a Cambodian phishing organization. The network used complex routing through 11,300 accounts on domestic and foreign exchanges. Between February 2024 and April 2025, 11.1 million USDT was moved, linked to $17 million stolen in 265 incidents. $430,000 was seized, but the organizer is wanted via an Interpol "Red Notice."

Android Trojan Rokarolla: 137 Commands for Full Device Takeover

Zimperium researchers discovered the Rokarolla trojan, which spreads through fake websites masquerading as TikTok or Google Chrome. After installation, it mimics the Google Play Protect system component and forces the user to grant access to "Accessibility Services." Once obtained, the trojan disables the real Play Protect and deploys a full arsenal of 137 remote commands.

Rokarolla intercepts PINs, reads SMS, swaps the clipboard to steal cryptocurrencies, and even blocks incoming calls to prevent the victim from receiving a bank alert. A separate overlay mimics the Android lock screen, allowing the theft of the password. This once again confirms: the main defense is vigilance when granting permissions for "Accessibility Services."

Apple Fixes Vulnerability in Beats Studio Buds

Apple has released a firmware update for Beats Studio Buds, closing the critical vulnerability CVE-2025-20701. The flaw, discovered by SentinelOne, allowed hackers within Bluetooth range to connect to the headphones without authentication and use the built-in microphone for spying. The exploit also provided access to read and rewrite memory, as well as intercept trust relationships with paired devices. The fix was released in version 1B211.

Expert Opinion: This week has shown that we are entering an era of hybrid attacks, where social engineering and technical vulnerabilities merge into a single entity. Particularly alarming is the creation of fake reputations on crowdsourcing platforms — this undermines the very foundation of trust in open ecosystems. For users, this means that trust cannot be placed in likes, stars, or even "verified" channels. The only reliable shield is one's own cyber hygiene and multi-factor authentication.